US high-tech companies have long complained that the lack of
crypto-export restrictions in other countries hampers their ability to
compete abroad. The relief they have sought was relaxing US strictures,
not tightening those of other nations. But US crypto ambassador
David Aaron has been working behind the scenes to convince other
countries to do just that. On 3 December Aaron held a press
conference to claim victory in these efforts
[1]. The 33 signatory nations
to the Wassenaar Arrangement
[2] have agreed to new rules. (Note:
turn off graphics before visiting
[2]: it loads 33 gratuitous GIF
images of waving flags with mouseovers for a total footprint of 353K.)
In summary, the new rules state:

All crypto products of up to 56 bits can be freely exported.

Mass-market crypto software and hardware of up to 64 bits can
be freely exported.

The export of products that use encryption to protect
intellectual property, such as DVDs, has been relaxed.

Export of all other crypto still requires a license.

No alteration was made in the ambiguous area of whether
Wassenaar covers intangible exports (such as via the Internet).

The Wassenaar provisions are not themselves binding on signatory
nations; each nation must enact its own laws to implement the rules.

Some accounts of Wassenaar have interpreted the new rules to allow
the free export of any public-domain crypto of any strength,
including Open Source products such as SSLEAY. My reading of the
agreement itself
[3] is that such products are exportable only if they
meet the other requirements outlined above; in other words it would
not be legal to export PGP.

A Norwegian poster to the Cryptography list asked his ministry of
foreign affairs for a clarification on exactly where Open Source
software falls, and was told that it is compliant with what
Wassenaar calls "public domain" software.

In a speech on 7 December
[4], US Commerce Department official
William Reinsch said:

A posting to Cryptography quoted a newspaper article in which the
Finnish prime minister gave his views on the new Wassenaar rules. He
noted that "the United States is in a very powerful position" but
said that Finland will not alter its liberal principles in
encryption politics.

Denmark is reported to be in a political uproar because the Danish
official who signed the Wassenaar accord did not have proper
parliamentary standing to do so -- and the new rules run counter to
current Danish crypto policy. The upshot could be a formal
renunciation of the accord by Denmark, which would render it invalid
everywhere.

In its antitrust defense Microsoft argues that the government has no
business interfering with a company's choices in product
development. But the US government's National Security Agency has long
taken an active role in product development, according to this CNN
story
[6]
-- working with Microsoft as well as a host of other
companies to limit available crypto technology. What's behind the US
push to restrict crypto strength domestically and world-wide? Most
observers of the crypto-political scene dismiss the official
explanation that crypto must be limited to thwart criminals and
terrorists. The bad guys have, after all, had access on the open Internet
to strong-crypto source code since 1991.

This quote from Ross Anderson, with a preface by Peter Gutmann, makes
plain the assumption, widely held in cypherpunk circles, that it all
starts with Echelon
[7].

This is probably the best one-sentence summary of export
controls I've seen. It predates the recent Wassenaar
announcement by about half a day, but is even more
appropriate in the aftermath:

"The real aim of current policy is to ensure the continued
effectiveness of US information warfare assets against
individuals, businesses, and governments in Europe and
elsewhere." -- Ross Anderson

In other words, those who want strong crypto restrained are, first
and foremost, protecting the UKUSA franchise in filtering and
monitoring worldwide communications in real time.

Bert-Jaap Koops <e.j.koops at kub dot nl> has updated his Crypto Law Survey
[8] with news from Wassenaar and updates on the laws of 15
countries. And now Koops's PhD thesis, titled The Crypto Controversy,
has been published by Kluver Law International
[9]. So far the book
has not appeared on Amazon.com, but you can order it directly from
KLI
[10] for $87 US.

Phil Agre doesn't usually wax emotional about issues of technology
and culture; his 16 December piece on cyberwar
[11] is an exception.
Agre attended a conference at which several honest and sincere
representatives of the US defense establishment presented a seemingly
new military doctrine for the online world. They proclaimed that
there is, as of now, no boundary line between military and
non-military facilities. Agre writes:

In the world of the Internet, it would seem, ...we are now in...
permanent, total, omnipresent, pervasive war. Cold War
plus plus: all war, all the time. They said this.

Please read Agre's closely argued, anguished musings about these
developments
[11], and see if you don't wax emotional too.

A word on one of Agre's asides: in writing about the styles of
reaction against such military thinking, Agre characterizes one
group of old-line Netizens in words that strike close to home:

You may recall that, as recently as a couple of years ago,
proponents of the cyberspace ideology filled the Internet
with manifestos against the Communications Decency Act and
many other bad actions on the part of the government. Where
have those people gone? Some of them remain in business, of
course, including many of the sensible ones, but they no
longer come close to defining the Internet's culture.

I don't know whether or not Agre considers me one of the sensible
ones. But I am certainly still in business, doing my level best
to perpetuate those aspects of the roots of Internet culture most
worthy of emulation -- trying to alter an occasional reader's
viewpoint -- for the eye, altering, alters all.

After reading about India's proposal to enable monitoring of Net
traffic, Ant Brooks <ant at hivemind dot net> sent word of a similar
proposal
[12] (360K) circulating in South Africa. The discussion paper
from the South African Law Commission proposes requiring telecomms
and service providers (read: ISPs) to ensure, at their own expense,
that all communications can be intercepted and monitored. Brooks
writes:

These suggestions (although disturbing enough) are nowhere
near as drastic as the measures being proposed in India, but
because South Africa is the most connected country on the
continent, I suspect that this is just the tip of the
African iceberg on the issue...

As I type, I'm sitting in the auditorium attending the
African Internet Group conference in Cotonou in Benin, West
Africa. It is apparent that the governments of many African
countries have not even begun to consider these issues, and
given the high level of control that some of our governments
exercise on other telecommunications services, I have some
concerns about the future of Internet freedom in Africa.
Hopefully, current processes of educating government about
the Internet and Internet governance underway here will
minimise any nasty legislation.

Recent news from the Microsoft antitrust trial
[13] is full of
allegations and counterclaims around the testimony of Edward Felton, a
Princeton computer scientist who wrote a program that he claims
removes Internet Explorer from Windows 98. Microsoft says this cannot
be done because Internet Explorer is an integral part of Windows.
So far the trial has not been informed of the more fruitful efforts
of an Australian biologist at the University of Maryland. Shane
Brooks's 98lite installer
[14] does a clean installation of Windows
98 without most pieces of, and without the functionality of, the
Internet Explorer integration. 98lite saves at least 34 MB over a
standard installation, and after adding back the Explorer shell
from Windows 95, Brooks claims that his 133-MHz Pentium machine
operates far faster than before. As of 15 December Microsoft was still
evaluating 98Lite, but a spokesman said that the modification
appears not to be good for end users: "The initial impression is this
process seems to retard and replace many of the core functions that
users benefit from in Windows 98"
[15]. Brooks claims he is merely
helping users assert their own choice of components and technologies
that may be appropriate for a high-end machine but not for an older
one. Techweb asserts
[15] that choosing to run 98lite will forfeit
you the benefit of any future Microsoft support.

Acquisition makes sense from many points of view, not including fair use

This rumor
[16] disquiets me -- such an acquisition could not be good
news for fans of the fair use doctrine for intellectual property.
Reed Elsevier is in the top 5 worldwide as a publisher of technical,
professional, and legal books and magazines. (And corresponding Web
content of course.) Reed Elsevier owns LEXIS-NEXIS, a major database
publisher which has been (with West Publishing) at the center of
recent battles over the copyrighting of database contents. The
company has a close technical relationship with Microsoft. RE is in a
management transition and is seeking a new president. Shares of both
Reed (traded in London) and Elsevier (Amsterdam) have been hammered
lately so the company may look like a bargain to Microsoft. Reed
shares rose 5.2% on the rumor and Elsevier was up 4%.

Network Associates has released news
[17] of a new, highly
sophisticated virus named Remote Explorer that targets Windows NT systems
on a network. The virus is said to exhibit self-replicating and
propagating behavior typical of what is more commonly termed a
"worm." NAI did not identify the company at which the virus was
discovered, but MCI Worldcom has acknowledged that it was the
victim. MCI Worldcom downplays the seriousness of the attack while NAI
plays it up. Here is a detailed description of Remote Explorer and
a "detection and cleaning" file for NAI's VirusScan NT and NetShield
NT products
[18].

On 8 December Sun announced that it would make Java source code
available under a new click-and-download "community source" program
[20]. Java licensing will be free (initially) to a larger community
than currently, but Sun will collect more royalties over time under
the new scheme. Saying it was still finalizing details of pricing
and availability, Sun has delayed introducing community source until
late January 1999 at the earliest
[21].

Note added 1998-12-24: Stig <stig at hackvan dot com> has analyzed
[21a]
the initially
published Sun Community Source License, which he calls Skizzle, in comparison
to other Open Source licensing models. He concludes that
it has similarities to the Mozilla license and some
improvements that should be studied by the Open Source community.
(Stig's book on Open Source licensing will be published by
O'Reilly in the spring.)

If you're the sort who enjoys a decorated tree at this time of year,
visit this site
[22] sometime during the 12 Days of Christmas. Its
controls let you turn on or off various lights on and around a tree
in a laboratory in The Netherlands, and see the results (via server
push) more or less in real time. Drop by the statistics page
[23]
for a tongue-in-cheek cost calculation of this experiment's
electrical energy use since 10 December. Here are the site's history, rationale,
and credits
[24]. Many thanks to Dan Kalikow <drdan at kalikow dot com> for
the pointer. And to all a good night.

Emendation: At the request of Anton Sherwood I've modified the
definition of the Jargon Scout term STFW
[26] to "Search the flinking Web,"
not "Surf the fine Website" as originally published in the previous
issue. Also noted is Julian Harris's claim to have originated the
alternate form "STFN."

Apology: Some of you took offence at a certain oblique reference in
the previous TBTF to the Church of Rome. I apologize to all those
so offended; be assured I intended no disrespect.

This will be the last issue of 1998. Remember, you have until midnight
Eastern time on 31 December 1998 to file your predictions in the
1999 TBTF readers' prognostication contest
[27]. Good luck and good
foresight.